User:Dlesos/Dual EC DRBG

Overview
The algorithm uses a single number $$s$$ as state. Whenever a new random number is requested, this integer is updated. The $$k$$-th state is given by

$$ s_{k} = g_P(s_{k-1}) $$

The returned random integer $$r$$ is a function of the state. The $$k$$-th random number is

$$ r_k = g_Q(s_{k}) $$

The function $$ g_P(x) $$ depends on the fixed elliptic curve point $$ P $$. $$ g_Q(x) $$ is similar except that it uses the point $$ Q $$. The points $$ P $$ and $$ Q $$ stay constant for a particular implementation of the algorithm.

Details
The curve parameters below are those of NIST P-256: an elliptic curve over the prime field $$Z_p$$, with a base point $$P$$ of prime order $$n$$. The seed, the state and the random numbers are all handled as integers; the state and the outputs are x-coordinates (elements of $$Z_p$$), and whenever the state is used as a scalar multiplier it is taken modulo $$n$$. The group order is

$$n = ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551_{16}$$

and the field prime is

$$p = ffffffff00000001000000000000000000000000ffffffffffffffffffffffff_{16}$$

The elliptic curve over $$Z_p$$ is given by

$$ y^2= x^3- 3x + b $$

where the constant $$b$$ is

$$b = 5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b_{16} $$

The points on the curve are $$E(Z_p)$$. Two of these points are given as the fixed points $$P$$ and $$Q$$

$$P, Q \in E(Z_p) $$

Their coordinates are

$$\begin{align} P_x &= 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296_{16} \\ P_y &= 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5_{16} \\ Q_x &= c97445f4 5cdef9f0 d3e05e1e 585fc297 235b82b5 be8ff3ef ca67c598 52018192_{16} \\ Q_y &= b28ef557 ba31dfcb dd21ac46 e2a91e3c 304f44cb 87058ada 2cb81515 1e610046_{16} \\ \end{align}$$

As state and random values are integers rather than points of $$E(Z_p)$$, a function that extracts the x-coordinate of a point is used

$$X(x,y) = x $$

Random numbers are also truncated before being output: the 16 most significant bits of the 256-bit x-coordinate are dropped, leaving 240 bits

$$t(x) = x \bmod 2^{240}$$

The functions $$ g_P $$ and $$ g_Q $$ are built from scalar multiplication of the fixed points, where $$ x \cdot P $$ denotes the point $$ P $$ added to itself $$ x $$ times

$$ g_P(x) = X(x \cdot P) $$

$$ g_Q(x) = t(X(x \cdot Q)) $$

The generator is seeded with an integer $$seed \in Z_n$$; the first state is

$$ s_1 = g_P(seed) $$

Each later state is an x-coordinate interpreted as an integer modulo $$n$$, and each output is derived from the state that was just computed

$$ s_{k} = g_P(s_{k-1}) $$

$$ r_k = g_Q(s_{k}) $$

The random numbers

$$ r_1, r_2, \ldots $$
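The generator described above, as an added worked example (not code from this page, from NIST SP 800-90A, or from any library): affine P-256 arithmetic written out in full, the page's points $$P$$ and $$Q$$, and the functions $$X$$, $$t$$, $$g_P$$ and $$g_Q$$ under the page's names. The field prime is assumed to be the NIST P-256 prime, and the seed in the usage call is an arbitrary constructed value.

```python
"""Dual EC DRBG over NIST P-256 (added worked example, not code from the page
or from any library).  Implements the page's X, t, g_P and g_Q with affine
curve arithmetic written out so nothing is hidden in a dependency."""

# Field prime p: the NIST P-256 prime (assumed here; the page lists b, the
# group order n and the points P and Q).  Curve: y^2 = x^3 - 3x + b over Z_p.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

# The two fixed points from the page as (x, y) integer pairs.
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
Q = (0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
     0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046)

def on_curve(pt):
    """True if pt = (x, y) satisfies y^2 = x^3 + ax + b over Z_p."""
    x, y = pt
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0

def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P)   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (k as a plain integer)."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def X(pt):
    """x-coordinate extraction, X(x, y) = x."""
    return pt[0]

def t(x):
    """Output truncation: keep the low 240 bits, i.e. drop the top 16 bits."""
    return x & ((1 << 240) - 1)

def g_P(s):
    """State update: x-coordinate of s*P, with s used as a scalar mod n."""
    pt = ec_mul(s % P256_N, P)
    if pt is None:
        raise ValueError("state is 0 mod n; s*P is the point at infinity")
    return X(pt)

def g_Q(s):
    """Output function: truncated x-coordinate of s*Q."""
    pt = ec_mul(s % P256_N, Q)
    if pt is None:
        raise ValueError("state is 0 mod n; s*Q is the point at infinity")
    return t(X(pt))

class DualEC:
    """The generator: s_1 = g_P(seed), s_k = g_P(s_{k-1}), r_k = g_Q(s_k)."""
    def __init__(self, seed):
        self.s = g_P(seed)                   # s_1

    def next(self):
        r = g_Q(self.s)                      # r_k from the current state s_k
        self.s = g_P(self.s)                 # advance to s_{k+1}
        return r

def generate(seed, count):
    """Return the first `count` outputs r_1 .. r_count for a given seed."""
    gen = DualEC(seed)
    return [gen.next() for _ in range(count)]

if __name__ == "__main__":
    # Constructed seed for illustration; a real DRBG takes entropy input here.
    for r in generate(0x0123456789abcdef, 3):
        print(f"{r:060x}")                   # 240-bit outputs, 60 hex digits
```

The `on_curve` check and the identity $$n \cdot P = \mathcal{O}$$ are the two sanity checks worth running on any implementation of this generator before trusting its outputs: both $$P$$ and $$Q$$ must lie on the curve, and the arithmetic must send the base point to infinity at the group order.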